Tricky areas of GDPR compliance

The General Data Protection Regulation (GDPR) has fundamentally changed the way companies process their employees’ personal data.

For example, to satisfy the heightened transparency requirements under Articles 13 and 14 of the GDPR, HR professionals have been busy drafting or revising employee privacy notices explaining what personal data they collect, for what purposes, on what legal bases, with whom that data will be shared (and whether such sharing involves any overseas transfers), how long the data will be kept and employees’ rights over their data.

During the course of the employment relationship employers will process a wide range of employees’ personal data, including special categories.

For example, employers collect health information about their employees to monitor sickness absence and pay statutory (and enhanced) sick pay. Employers may also collect diversity data such as ethnicity, age, sexuality and disabled status as part of their equal opportunities monitoring programmes.

One area where the GDPR has had a particularly significant impact is the availability of consent as a legal basis for processing personal data. The GDPR makes clear that employee consent will only be a valid legal basis in very exceptional circumstances, given the imbalance of power in the employment relationship.

This is unlikely to present any real issues when processing non-special category personal data as employers can generally justify their processing of such data on another legal ground under Article 6, e.g. that it is either required by the employment contract or by law, or that it is in the employer’s legitimate interests to process the data and those interests outweigh the interests of employees.

When processing special categories of personal data, however, employers have to be able to rely on two legal bases, one under Article 6 and one under Article 9. Although the former is, as noted above, unlikely to be problematic, satisfying Article 9 is likely to be trickier as the Article 9 grounds for processing are very specific and fairly limited.

The only legal basis that could cover the standard processing of health information and diversity information undertaken by most employers is that the processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the [employer] or of the [employee] in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the [employee]” (Article 9(2)(b)).

Employers have an obligation to administer statutory sick pay in accordance with the rules of the statutory scheme, which requires employers to be satisfied that the sickness is genuine; collecting fit notes is an obvious way of satisfying this requirement.

Similarly, employers have a legal obligation not to discriminate against employees on any of the protected grounds in the Equality Act 2010, and monitoring employees’ diversity is another obvious way of seeking to meet that requirement. Therefore Article 9(2)(b) is likely to be sufficiently flexible to cover most of the standard ways employers process special categories of data.

The other limbs of Article 9(2), although not as helpful, should not be entirely forgotten as some may be relevant in certain very specific circumstances.

For example, the disclosure of health information about an unconscious employee to a paramedic or other emergency healthcare professional could be justified as being “necessary to protect the vital interests of the [employee] or of another natural person where the [employee] is physically or legally incapable of giving consent” (Article 9(2)(c)).

The provision of health information to an occupational health advisor could be permitted under Article 9(2)(h) (“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee…[and]…medical diagnosis”). An employer might also, in some circumstances, be able to rely on the fact that diversity information has been “manifestly made public by the [employee]” (Article 9(2)(e)) when itself processing such data.

In conclusion, the unavailability of consent as a legal basis for processing special categories of personal data has made employers’ lives more difficult, but not impossible.

Some careful thought about what data is being processed together with a consideration of the available grounds discussed above should enable employers to carry on processing such data in compliance with the GDPR.

Ann Bevitt is a partner at law firm Cooley